DNS problem - nslookup appends domain name and resolves IP address to the server's public ip

Posted on 2008-10-01
Medium Priority
Last Modified: 2010-04-21
Server 2003 has DNS problems and e-mails are getting stuck in the exchange queue.  This is what nslookup looks like (using experts-exchange as a test):

C:\Documents and Settings\Administrator>nslookup
Default Server:  ns-rec.isp.wdc.eggn.net

> experts-exchange.com
Server:  ns-rec.isp.wdc.eggn.net

Non-authoritative answer:
Name:    experts-exchange.com.company.net
Address:  66.7.x.x

There are two problems that I see:
1. Company.net is the AD domain name and it is appended to the end of each answer
2. 66.7.x.x is the public IP of the company's server (the WAN IP) and is obviously incorrect

The server has 2 NICs with Active Directory and DNS enabled.  The firewall is in bridging/invisible mode and one of the NICs on the server is WAN and the other is LAN.

And this is what an MX lookup looks like:

> set type=mx
> mail.cnn.com
Server:  ns-rec.isp.wdc.eggn.net

        primary name server = no-dyn-updates.san.yahoo.com
        responsible mail addr = postmaster.san.yahoo.com
        serial  = 2008100101
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 7084000 (81 days 23 hours 46 mins 40 secs)
        default TTL = 28800 (8 hours)

What the heck is going on?  No matter the MX record, it always ends up with a Yahoo name server.

I should also add that this is a server I just took over admin duties for.  The previous technician had disabled DNS on the server back in April and was just relying on the ISP's DNS servers.
I started work on the server a few days ago and turned on DNS and configured it as I usually do.  That's when the problem started.  And it looks like most e-mails are going out except for about a dozen domains.

Question by:PaulVA
LVL 71

Expert Comment

by:Chris Dent
ID: 22618192


The behaviour is expected if a Wildcard record exists for your domain. If you open up the DNS Console, do you have a record named * at all?


Author Comment

ID: 22618236
No wildcards found
LVL 71

Expert Comment

by:Chris Dent
ID: 22618382

But this is the public name server from your ISP?

> Address:

And that could well have a Wildcard?

The thing to note is that the client resolver will append suffixes (primary, and all in the search list) before it attempts the name alone.

For instance, if you have a search list like this:


And ask your client to resolve "www.google.com" it will ask for:


If at any point it receives an answer it will stop looking (a wildcard can give an answer).

You can force the client to look up a name without that by suffixing a dot. e.g.:

nslookup www.google.com.

The dot terminates the name, no suffixes can be added.

We need to be using the internal DNS server anyway, the systems inside the network need to be able to resolve names within the AD domain for full functionality.



Author Comment

ID: 22619974
That dot trick worked, I now get correct results for nslookup.

It's nice to be able to use nslookup again but is it a BAD thing that I have to use a dot at the end of the lookup? is the primary DNS server of the ISP.
The workstations in the office use the server for DNS but it looks like the server itself relies on the ISP's DNS server.  Is there any way to have the server use its own DNS server?

And is this why e-mails are getting stuck in the queue or would that be a separate issue?


Author Comment

ID: 22621188
And I'm still wondering why all MX records have Yahoo information in them
LVL 71

Accepted Solution

Chris Dent earned 2000 total points
ID: 22622227

Okay, we have a number of issues to address. Before we do... the questions above need attention :)

> That dot trick worked, I now get correct results for ns lookup.

Yeah, it is a trick though :)

We need the search list and DNS itself configured so we don't get ambiguous results like this. I guess the AD Domain name is the same as the public domain name?

You do have a wildcard record in the public zone, I can lookup anything I want against your domain ;)

> The workstations in the office use the server for DNS but it looks like the server itself relies
> on the ISP's DNS server.  Is there anyway to have the server use it's own DNS server?

Coming back to this one.

> And is this why e-mails are getting stuck in the queue or would that be a separate issue?

Yes to this and the why for yahoo bit, but we'll get that fixed.

Okay, so we could use a little clarity.

The public domain name is as above, and the AD Domain Name matches that? If so, we should have a zone on your internal DNS server for that (AD absolutely requires it).

If that isn't your AD Domain Name, do you have an entry for your public domain in the DNS Suffix Search List if you run "ipconfig /all" on a client or server?

If the domain names are the same we'll have to do a bit of work to get your public services visible internally. That means adding a static "www" record to internal DNS (and any other record you might need).

We also have a limitation to contend with. Does anyone internally access your public website on http://domain.com? That is, rather than http://www.domain.com?
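As an added illustration (not code from Chris's answers or from the original thread), the Python script below simulates the two mechanisms the answers above rely on: the suffix search from the second comment (suffixes appended first, first answer wins, trailing dot suppresses the suffixes) and the wildcard probe from the accepted solution ("I can lookup anything I want against your domain"). It also shows why an MX query for an outside host comes back with nothing but an SOA when the suffixed name lands on a wildcard that only carries A records. The zone contents, the suffix list, the outside names and all addresses are constructed (RFC 5737 documentation ranges); nothing here reflects the real company.net zone.

```python
"""Stub-resolver suffix search versus a wildcard record.

Added example, not part of the original thread. It models the behaviour Chris
Dent describes: the client appends each DNS suffix before trying the name as
typed, stops at the first answer, and a trailing dot suppresses the suffixes.
All zone data, names and addresses below are constructed.
"""

ORIGIN = "company.net"          # the company's public zone (constructed)
ZONE = {
    # (owner, type): rdata list
    ("company.net", "SOA"): ["ns1.company.net. hostmaster.company.net. 2008100101 10800 3600 7084000 28800"],
    ("company.net", "MX"):  ["10 mail.company.net."],
    ("www.company.net", "A"):  ["192.0.2.1"],
    ("mail.company.net", "A"): ["192.0.2.1"],
    ("*.company.net", "A"):    ["192.0.2.1"],   # the wildcard record
}
# Names outside the zone that the ISP resolver could answer (constructed).
OUTSIDE = {
    ("experts-exchange.com", "A"): ["198.51.100.7"],
    ("mail.example.com", "MX"):    ["10 mx.example.com."],
}
SEARCH = ["company.net"]   # primary DNS suffix = the AD domain name


def in_zone(name):
    return name == ORIGIN or name.endswith("." + ORIGIN)


def query(qname, qtype):
    """One DNS query against the simulated server. Returns rcode, answer rdata
    and, for negative answers from our zone, the zone SOA in 'authority'."""
    if in_zone(qname):
        owner_exists = any(n == qname for n, _ in ZONE)
        if owner_exists:
            rdata = ZONE.get((qname, qtype), [])
        else:
            # RFC 1034 wildcard: applies only when no RRset at all exists for the
            # owner. If the wildcard lacks the requested type the result is NODATA.
            rdata = ZONE.get(("*." + ORIGIN, qtype), [])
            if not rdata and not any(n == "*." + ORIGIN for n, _ in ZONE):
                return {"qname": qname, "rcode": "NXDOMAIN", "answer": [],
                        "authority": ZONE[(ORIGIN, "SOA")]}
        if rdata:
            return {"qname": qname, "rcode": "NOERROR", "answer": rdata, "authority": []}
        # NODATA: name exists (or is covered by the wildcard) but has no such type
        return {"qname": qname, "rcode": "NOERROR", "answer": [],
                "authority": ZONE[(ORIGIN, "SOA")]}
    rdata = OUTSIDE.get((qname, qtype))
    if rdata:
        return {"qname": qname, "rcode": "NOERROR", "answer": rdata, "authority": []}
    return {"qname": qname, "rcode": "NXDOMAIN", "answer": [], "authority": []}


def candidates(name, search_list):
    """Names the stub resolver tries, in order. A trailing dot makes the name
    fully qualified: it is tried alone and no suffix is appended."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in search_list] + [name]


def resolve(name, qtype, search_list):
    """Walk the candidates and stop at the first response that is not NXDOMAIN.
    An empty NOERROR (NODATA) reply from the wildcard zone counts as an answer
    and ends the search, which is what turns an MX query into an SOA-only result."""
    last = None
    for qname in candidates(name, search_list):
        last = query(qname, qtype)
        if last["rcode"] != "NXDOMAIN":
            return last
    return last


def has_wildcard(origin):
    """Probe for a wildcard: ask for a label that cannot exist under the zone
    and see whether it still gets an address back."""
    probe = query("this-label-does-not-exist-8f3a." + origin, "A")
    return bool(probe["answer"])


if __name__ == "__main__":
    r = resolve("experts-exchange.com", "A", SEARCH)
    print("unqualified  :", r["qname"], r["answer"])                  # wildcard hit, wrong address
    r = resolve("experts-exchange.com.", "A", SEARCH)
    print("trailing dot :", r["qname"], r["answer"])                  # name tried alone, correct address
    r = resolve("mail.example.com", "MX", SEARCH)
    print("MX via suffix:", r["qname"], r["answer"], r["authority"])  # NODATA plus the zone SOA
    print("zone has wildcard:", has_wildcard(ORIGIN))
```

The `has_wildcard` probe is the same check you can run against a real zone from nslookup: query a nonsense label under the domain with a trailing dot, and any A record that comes back is the wildcard. Against a zone without one, the probe returns NXDOMAIN and the resolver moves on to the next candidate, which is the behaviour the suffix search list was designed around.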


Author Closing Comment

ID: 31502122
Chris, your input was a huge help and I can't thank you enough for fixing my DNS issues.  I would be lost without you!
